X-Git-Url: http://git.iain.cx/?a=blobdiff_plain;f=.profile.d%2Fkrb5.bashrc;h=979bd710267f6a81ff4ddfe9abac3595780f0a0a;hb=8fbd163e15300ebf2df0789cf0a9c66b415c5ce1;hp=3bf40eb4ad8a95ab965cede8fb5a67f4639c4370;hpb=660f496b9c001ed24521f65b1eebe69a499ab10b;p=profile.git
diff --git a/.profile.d/krb5.bashrc b/.profile.d/krb5.bashrc
index 3bf40eb..979bd71 100644
--- a/.profile.d/krb5.bashrc
+++ b/.profile.d/krb5.bashrc
@@ -3,7 +3,7 @@ alias pssh='ssh -o preferredauthentications=password,keyboard-interactive'
 if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
 if tty -s; then
- if [ $UID -gt 0 ]; then
+ if [ ! "$SUDO_UID" ]; then
 if klist -s 2>/dev/null; then
 # We already have a ticket cache. Renew it.
 kinit -R &>/dev/null
@@ -55,14 +55,22 @@ if [ -z "$OLDSOLARIS" -a -z "$OLDREDHAT" ]; then
 # By now we should have found a cache if there's one to find.
 klist -s 2>/dev/null || kinit
 fi
- elif [ -n "$KRB5CCNAME" ]; then
+ elif [ ! -z "$KRB5CCNAME" ]; then
 # Don't break permissions of inherited cache under sudo.
 cache="${KRB5CCNAME##FILE:}"
 if [ ! "$cache" = "$KRB5CCNAME" ]; then
- ccname="${cache/_$SUDO_UID/_sudo_$SUDO_UID}_$$"
- cat "$cache" > "$ccname"
+ ccname="${cache/_$SUDO_UID/_${UID}_sudo_$SUDO_UID}_$$"
 export KRB5CCNAME="FILE:$ccname"
- klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit
+ if cat "$cache" > "$ccname" 2>/dev/null; then
+ klist -s 2>/dev/null && kinit -R 2>/dev/null || kinit $PRINCIPAL
+ else
+ # XXX: Don't kinit every time if we aren't root.
+ # TODO: Split the "set my cache" and "get my credentials" parts so
+ # that becoming a user other than root will work without
+ # extraneous kinits.
+ rm "$ccname" 2>/dev/null
+ fi
+ trap "kdestroy 2>/dev/null" EXIT
 fi
 fi
 fi
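Review bot: The new guard `[ ! "$SUDO_UID" ]` in the first hunk treats every session without that variable as an ordinary login, so a root shell reached another way (for example plain `su`, which presumably inherits `KRB5CCNAME` and leaves `SUDO_UID` unset) now takes the renew branch instead of the copy branch. There `kinit -R` would run as root against the invoking user's cache, which looks like the permission breakage the "Don't break permissions of inherited cache" comment later in the file is trying to avoid. If that case matters, keep the old test alongside the new one, e.g. `if [ -z "$SUDO_UID" ] && [ "$UID" -ne 0 ]; then`, and add a comment saying which of sudo-to-root, sudo-to-user and su each branch is meant to serve. The enclosing `if` continues outside the hunk.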
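Review bot: In the second hunk, `cat "$cache" > "$ccname"` still writes the copied tickets to a name built only from UIDs and `$$`, created under the current umask and opened without exclusivity. If the cache sits in a shared directory (the usual `FILE:` location is under /tmp, though the hunk does not show it), a file or symlink already present at that predictable path would be reused or followed, and the copy may be readable by other users. Running the copy as `if (umask 077; set -o noclobber; cat "$cache" > "$ccname") 2>/dev/null; then` makes bash refuse an existing path and create the file with owner-only permissions. `export KRB5CCNAME="FILE:$ccname"` also runs before the copy is known to have succeeded, so the failure branch leaves the variable pointing at the path it has just removed; moving the export into the success branch avoids that. The enclosing `if`/`elif` starts outside the hunk.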